We recently came across a case where, when there is a wildcard search like " ab bcd xyz" (just an example to indicate that wildcards are present at the beginning and end, or anywhere, on multiple words), and a lot of users execute similar searches in parallel, the server does not respond and resource usage shoots to 100%. The only option to recover was to restart the cluster.
This falls into a potential case for DDoS attacks. Is there any configuration or control that can be kept in the query to kill the request if it takes more time than, say, 5 seconds, and release the resources used by this query?
The search string did not carry * in the forum, hence expanding it to words, with (ST)=*:
" (ST)a(ST) b (ST)bcd(ST) (ST)z(ST) "
ES versions in use are 7.0 and 6.1.
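The following is an added example, not code from the original poster or from Elasticsearch itself. It shows the two controls a practitioner would combine against the pattern in the question: a client-side pre-check that refuses query strings whose terms begin with a wildcard (each such term forces Lucene to walk the field's entire term dictionary), and a request body that sets the real Elasticsearch `timeout` and `allow_leading_wildcard` options. The index name `docs`, the field name `body`, the numeric limits and the sample response are assumptions for illustration; the thread does not name any of them.

```python
"""Bound the cost of user-supplied wildcard searches before they reach
Elasticsearch, and build a _search body with a best-effort timeout.

Added example; index/field names and limits below are assumptions.
"""
import json
import re

# Constructed limits for this example; tune them for your own workload.
MAX_TERMS = 5            # cap on the number of terms in one query
MIN_WILDCARD_PREFIX = 2  # literal characters required before a * or ?

# Hypothetical index and field names (not given in the thread).
INDEX = "docs"
FIELD = "body"


class RejectedQuery(ValueError):
    """Raised when a user query would expand into an expensive wildcard scan."""


def check_wildcards(user_query: str) -> str:
    """Return the query unchanged, or raise RejectedQuery.

    A term that starts with * or ? cannot use the term index and makes
    Lucene enumerate every term in the field. Several such terms, run by
    many users in parallel, is exactly the load pattern described above.
    """
    terms = user_query.split()
    if not terms:
        raise RejectedQuery("empty query")
    if len(terms) > MAX_TERMS:
        raise RejectedQuery(f"too many terms: {len(terms)} > {MAX_TERMS}")
    for term in terms:
        if "*" not in term and "?" not in term:
            continue
        prefix = re.match(r"[^*?]*", term).group(0)
        if len(prefix) < MIN_WILDCARD_PREFIX:
            raise RejectedQuery(
                f"term {term!r} needs at least {MIN_WILDCARD_PREFIX} "
                "literal characters before its first wildcard"
            )
    return user_query


def build_search_body(user_query: str, timeout: str = "5s") -> dict:
    """Build the JSON body for POST /{INDEX}/_search.

    "timeout" and "allow_leading_wildcard" are real Elasticsearch request
    options. The timeout is best-effort: a shard that exceeds it returns
    the hits collected so far and the response carries "timed_out": true.
    It is not a hard kill, which is why the client-side check is kept too.
    """
    return {
        "timeout": timeout,
        "query": {
            "query_string": {
                "query": check_wildcards(user_query),
                "default_field": FIELD,
                "allow_leading_wildcard": False,  # server refuses them as well
            }
        },
    }


def response_timed_out(response: dict) -> bool:
    """True when Elasticsearch reports that the timeout cut the search short."""
    return bool(response.get("timed_out", False))


if __name__ == "__main__":
    # The pattern from the question, with (ST) written back as *.
    for q in ["*a* b *bcd* *z*", "abc* bcd", "ab?de xy*"]:
        try:
            body = build_search_body(q)
            print(f"POST /{INDEX}/_search\n{json.dumps(body, indent=2)}")
        except RejectedQuery as exc:
            print(f"rejected {q!r}: {exc}")

    # Constructed fragment of the shape a _search response has.
    sample = {"took": 5003, "timed_out": True, "hits": {"total": {"value": 12}}}
    print("timed out:", response_timed_out(sample))
```

The per-request `timeout` can also be applied cluster-wide with the dynamic setting `search.default_search_timeout`, and a search that is already running can be stopped with the task management API (`POST _tasks/<task_id>/_cancel`). Both are cooperative: the search checks for cancellation at certain points rather than being killed outright, so refusing leading-wildcard terms at the edge is still the control that actually prevents the term-dictionary scan.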